Jump to content


Photo

IPv6 Leakage and DNS Hijacking

Security

Best Answer Staff, 11 May 2015 - 10:20 AM

Hello!

 

AirVPN is not vulnerable to DNS hi-jacking because VPN DNS server and gateway IP addresses match.

 

The paper is outdated because their tests were performed on VPN servers with a /30 topology that we kept to maintain compatibility with Windows OpenVPN 2.0.9 and some older versions. After the draft paper preview they kindly provided us with months ago, we decided to speed up Windows OpenVPN 2.0.9 support drop, which made sense in 2010 but not now.

 

Current topology allows to have the same IP address for VPN DNS server and VPN gateway, solving the vulnerability at its roots, months before the publication of the paper.

 

Unfortunately they could not manage to fix the paper, purely for problems of time we suppose, which remained outdated.

 

The quickest way to prevent IPv6 leaks with our service is just enabling Network Lock with a click, for those who don't want to disable IPv6. You can also disable IPv6 with a click, provided that you run our client Eddie for Windows or OS X (version 2.9 or higher is required; feature not available in Eddie for Linux).

 

Kind regards

Go to the full post


  • This topic is locked This topic is locked
33 replies to this topic

#21 tillsky

tillsky

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 07 July 2015 - 06:41 PM

his is good, but I've always been a bit confused by the IPv6 options. It can be either "none" or "disable", right? Disable seems obvious, but what does none do? Just do nothing/ignore IPv6 traffic? I feel like the wording could be a bit clearer because "none" could also be taken to mean that it allows no IPv6. Or "disable" could mean that you're disabling the option to control IPv6.

 

Also, is that feature going to come to Linux in the future?

Good question. Still not answered after 3 days. Win client help does not "know" the feature. Anybody of AIRVPN staff willing to answer? Or am I missing some doc?



#22 Old Man Internet

Old Man Internet

    Newbie

  • Members
  • Pip
  • 8 posts

Posted 08 July 2015 - 01:34 AM

I saw this study today and came to ask about it, I'm glad the airvpn staff were notified and able to fix it before publication. They also, and it's good advice, recommend to check out http://www.ipleak.net - if you're using Firefox it shows how to disable WebRTC near the bottom which is essential.

 

I agree with the comments about IPV6 and anonymity. If you're connected to an ISP or organization using Stateless DHCP (SLAAC), the MAC address (which is burned in to your network card/wireless interface; assuming you haven't spoofed it or are using something disposable) is used in the creation of the interface id portion of the address (EUI-64) and is trackable directly to your equipment.

 

Since the whole point is to have a unique address you can't use the IPV4 defense of "someone else had the IP when XYZ happened". Even if you're assigned one that doesn't use this process, the address space is so huge as to make re-using the addresses unnecessary which means you can be tracked with far greater accuracy.



#23 karn

karn

    Member

  • Members
  • PipPip
  • 15 posts

Posted 14 July 2015 - 10:31 AM

I think IPV 6 leakage is a huge topic and a hole in most VPN coverage including Airvpn. But I have not found a vpn service that works on IPV 6. For months I used Airvpn as well as other vpns on my android tablet thinking my IP address was hidden, because they all will connect with it and screen some traffic, but my IP, like many these days, aggressively pushes IPV 6 addresses and my tablet will leak whatever address that is, because one cannot disable IPV 6 in the android OS without rooting it. My research says that rooting is iffy and negates any resell value; plus the apps that claim to turn off IPV6 on a rooted device are iffy and frequently "forget"

 

As android has the largest  market share of mobile devices (phones and tablets) and more and more IPs are pushing IPV 6, there is a huge security gap particularly fo those who travel a lot and are dependent on public wireless internet; even secured home devices are vulnerable to friendly neigborhood hacking hobbyists. Most routers do not allow disabling IPV 6.

 

Airvpn is the best vpn service I have ever used and no problem on my Windows machine where IPV 6 can be disabled, couple with a network lock, but not so good on my mobile devices.

 

Anyone know of any work arounds I have not discovered?



#24 gajanq1

gajanq1

    Member

  • Members
  • PipPip
  • 10 posts

Posted 14 July 2015 - 03:45 PM

I didn't realise the privacy loophole in IPv6 until I stumbled upon this thread. Thumbs up !



#25 wherewolf

wherewolf

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 10 November 2016 - 10:57 AM

I saw this study today and came to ask about it, I'm glad the airvpn staff were notified and able to fix it before publication. They also, and it's good advice, recommend to check out http://www.ipleak.net - if you're using Firefox it shows how to disable WebRTC near the bottom which is essential.

 

I agree with the comments about IPV6 and anonymity. If you're connected to an ISP or organization using Stateless DHCP (SLAAC), the MAC address (which is burned in to your network card/wireless interface; assuming you haven't spoofed it or are using something disposable) is used in the creation of the interface id portion of the address (EUI-64) and is trackable directly to your equipment.

 

Since the whole point is to have a unique address you can't use the IPV4 defense of "someone else had the IP when XYZ happened". Even if you're assigned one that doesn't use this process, the address space is so huge as to make re-using the addresses unnecessary which means you can be tracked with far greater accuracy.

 

​isn't that the whole point of using a vpn service with ipv6 support ? so the traffic originates from the vpn ipv6 address which hopefully provides for several users.



#26 Robotnik2017

Robotnik2017

    Newbie

  • Members
  • Pip
  • 7 posts

Posted 07 December 2016 - 06:05 PM

I'm not technical enough to follow the foregoing, I just ask for help with a related issue. I'm using Opera, and although I've got Privacy Badger, etc, I try not to stifle Google too much for the sake of smooth-running. However, I noticed that DNS revealed my location (I got a targeted ad for where I live). If I block maps, doesn't that just mean my location doesn't show up on my screen but is available to Google, etc in any case? I've got a Web RTC extension and No Script Lite. I can't see the point - if my location shows up, surely my network traffic can be easily intercepted too? (I realize there's no guarantee of this not happening in any case if someone persistently wants it). What's the point of just stopping a map from being displayed on my screen? It looks like my ISP could analyze my traffic. My point is, I'm not sure if extensions and VPNs have much point if someone can locate me so easily, so I'm just wondering if the re-routing is merely cosmetic. Am I supposed to re-configure to Tor or something similar? It's reported to be very slow. When I used Firefox I put in all the fixes, but I'm not sure if even then more than a misleading difference occurs. Stuff like NoScript just means you can't fluently use the internet at all. I've found Adguard works pretty well, but it doesn't encrypt my connection. Apart from anything else, Opera just looks and works better.

 

Be grateful for any advice.

 



#27 Robotnik2017

Robotnik2017

    Newbie

  • Members
  • Pip
  • 7 posts

Posted 07 December 2016 - 08:39 PM

Hello,

 

I think I worked this out - so dumb not to realize it before - I was logged in to my Google Account using Google Search and combined with Analytics and them knowing where I live in any case, it's no surprise.

The only point I'm unclear of is whether anyone's location can be found using something like GPS. Win 10 has a 'Find My Device' facility for example, and there's preyproject or lojack. I don't know enough about tech to understand how they do it, while it's obvious with a phone..



#28 Khariz

Khariz

    Advanced Member

  • Members
  • PipPipPip
  • 417 posts

Posted 08 December 2016 - 02:18 AM

Hello,

 

I think I worked this out - so dumb not to realize it before - I was logged in to my Google Account using Google Search and combined with Analytics and them knowing where I live in any case, it's no surprise.

The only point I'm unclear of is whether anyone's location can be found using something like GPS. Win 10 has a 'Find My Device' facility for example, and there's preyproject or lojack. I don't know enough about tech to understand how they do it, while it's obvious with a phone..

 

Yeah...I disable all location services for that reason.  got to ipleak.net and ask it to find your geolocation.  If it works, you are findable like that.  You can track down all of the settings in the brower and in windows to lock that down.  DNS and WebRTC are only a couple pieces of the puzzle regarding where you really are.  Geolocation is another, and it can be a big one.

 

When I do it, I get:

 

Geolocation detection
no.png User denied the request for Geolocation.


#29 Robotnik2017

Robotnik2017

    Newbie

  • Members
  • Pip
  • 7 posts

Posted 08 December 2016 - 08:03 PM

Hi Khariz, thanks for taking the trouble to reply, I really appreciate it.

Yes, when I used Firefox with media,peer.connection disabled in about:config, and with Ghostery, Self-Destructing Cookies, NoScript, Privacy Badger, Https Everywhere, Adguard and a Web RTC controller on top of it all I couldn't locate a problem when I checked with Spyber, ipleak and dnsleaktest, etc. The thing I didn't look at was, as you helpfully point out, geolocation. I better re-write the script (pun) and try a more secure method. I suppose I could use duckduckgo or disconnect.me as search engines, and disable maps using Privacy Badger, but I still got to look at geolocation because it makes everything else futile. If you got any tips on doing it properly I sure would appreciate you taking the time to advise me. The only problem I state for myself is all these extensions slow down Firefox start-up, and break so many pages I end up having to allow scripts, including the omniscient Google Analytics to run despite all the security.

Thanks again and all the best,

Robotnik



#30 LZ1

LZ1

    It's nice to be nice to nice people

  • Moderators
  • 1953 posts

Posted 09 December 2016 - 01:24 AM

Hi Khariz, thanks for taking the trouble to reply, I really appreciate it.

Yes, when I used Firefox with media,peer.connection disabled in about:config, and with Ghostery, Self-Destructing Cookies, NoScript, Privacy Badger, Https Everywhere, Adguard and a Web RTC controller on top of it all I couldn't locate a problem when I checked with Spyber, ipleak and dnsleaktest, etc. The thing I didn't look at was, as you helpfully point out, geolocation. I better re-write the script (pun) and try a more secure method. I suppose I could use duckduckgo or disconnect.me as search engines, and disable maps using Privacy Badger, but I still got to look at geolocation because it makes everything else futile. If you got any tips on doing it properly I sure would appreciate you taking the time to advise me. The only problem I state for myself is all these extensions slow down Firefox start-up, and break so many pages I end up having to allow scripts, including the omniscient Google Analytics to run despite all the security.

Thanks again and all the best,

Robotnik

Hello!

 

I'd uninstall Adguard and the WebRTC blocker and instead install uBlock Origin. It can fill those two roles, such that you can spare one plugin perhaps. I'd also uninstall Ghostery, as they've been put in connection with some questionable practices. Lastly, you could then make a new profile for yourself. You could also consider running a clean browser in a VM.


Hi there, are you new to AirVPN? Many of your questions are already answered in this guide. Its Guides Section has guides on Linux/Torrenting/Blocked sites & many other topics too.
Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please read the First Questions section in the link above for more details, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Tired of Windows? Why Linux Is Better.

#31 Robotnik2017

Robotnik2017

    Newbie

  • Members
  • Pip
  • 7 posts

Posted 10 December 2016 - 02:52 PM

Hi LZ1, great profile photo by the way - you don't look anything like a bandito. Thanks for taking time to reply. Sounds like good advice, so I'll give it a go. I've got Adguard desktop client, but I can disable it anytime I choose. I'll try uBlock Origin as you suggest. A 'clean browser in a VM' I'd have to figure out how to do it, but I'm sure plenty resources on-line to get help. As for the account, I''ll download latest Firefox (50?) and set it up for privacy. I've been a bit concerned about Ghostery for quite a while now, since the owners started asking users to give anonymous feedback and create an account too. Thanks again, you've been very helpful. Robotnik

#32 LZ1

LZ1

    It's nice to be nice to nice people

  • Moderators
  • 1953 posts

Posted 10 December 2016 - 03:05 PM

Haha, why thank you. It's meant to inspire.

In the uBlock settings, you can enable a WebRTC block. Otherwise enabling Network Lock will also sort out any WebRTC leaks really. Then you simply add lots of the various ad and malware lists, by checking the boxes in uBlock and clicking apply.

For the VM, you download virtualbox software. Then you download a torrent client like qBittorent. Then you go to a site like Linux tracker after setting uo qBittorent (guides in my new user guide) and download a Linux distribution. Such as Ubuntu or Linux Mint, for starters. After the download, you find a guide about how to set up that .iso Linux in the virtualbox software :). Then you'll be well on your way. It sounds/looks harder than it is when described, but fear not.

Sure, the latest Firefox is desirable. You can simply open the firefox profile manager by searching it in your OS. Then create a new profile with the click of a button. Then you go to that site and make a new FF profile, download it and use it to replace the aforementioned profiles folder. The ffprofile site also describes this process.

Thank you for being so polite :)

Sent to you from me with datalove

Hi there, are you new to AirVPN? Many of your questions are already answered in this guide. Its Guides Section has guides on Linux/Torrenting/Blocked sites & many other topics too.
Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please read the First Questions section in the link above for more details, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Tired of Windows? Why Linux Is Better.

#33 Robotnik2017

Robotnik2017

    Newbie

  • Members
  • Pip
  • 7 posts

Posted 10 December 2016 - 04:05 PM

Thanks LZ1. The VM thing's turned out to be a piece of cake really. You sure know your stuff. Like you say, it's probably easier to implement than understand from the instructions. Robotnik (my name's Alan, or Al, in fact, so like in the Paul Simon song, 'you can call me Al') Don't see how we could keep going without helpful people like yourself.

#34 LZ1

LZ1

    It's nice to be nice to nice people

  • Moderators
  • 1953 posts

Posted 10 December 2016 - 04:38 PM

Haha, no worries. I'm just 1 of many. I'll have to check out that song. Now that you have the VM up, you take a "snapshot" of whichever state you'd like to revert back to upon exit or when something goes wrong. Then you can use either the guest (the OS you installed in the VM) or the host OS to do certain kinds of browsing. If, in the VM network settings you enable Bridged Mode, it'll be as if you have 2 separate networks as well.

Good to meet you Al, just say so if there's anything else we can help you with :).

Sent to you from me with datalove

Hi there, are you new to AirVPN? Many of your questions are already answered in this guide. Its Guides Section has guides on Linux/Torrenting/Blocked sites & many other topics too.
Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please read the First Questions section in the link above for more details, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Tired of Windows? Why Linux Is Better.





Similar Topics Collapse


Also tagged with one or more of these keywords: Security

4 user(s) are reading this topic

0 members, 4 guests, 0 anonymous users

Servers online. Online Sessions: 14778 - BW: 45966 Mbit/sYour IP: 52.91.176.251Guest Access.